I'm a technology, privacy, and information security reporter and most recently the author of the book This Machine Kills Secrets, a chronicle of the history and future of information leaks, from the Pentagon Papers to WikiLeaks and beyond.
I've covered the hacker beat for Forbes since 2007, with frequent detours into digital miscellania like switches, servers, supercomputers, search, e-books, online censorship, robots, and China. My favorite stories are the ones where non-fiction resembles science fiction. My favorite sources usually have the word "research" in their titles.
Since I joined Forbes, this job has taken me from an autonomous car race in the California desert all the way to Beijing, where I wrote the first English-language cover story on the Chinese search billionaire Robin Li for Forbes Asia. Black hats, white hats, cyborgs, cyberspies, idiot savants and even CEOs are welcome to email me at agreenberg (at) forbes.com. My PGP public key can be found here.

Renting a server from Amazon Web Services promises all the advantages of the Cloud: ephemeral, convenient computing without the nuisance of owning hardware. In fact, it may be more like renting a house where the last tenant left his junk in the closets and hasn’t changed the locks.

Researchers at France’s Eurecom technology institute, Northeastern University and the security firm SecludIT ran automated scanning tools on more than 5,000 of the virtual machine images published in Amazon’s catalog: images set up with preset software and configurations, ready to run on Amazon’s Elastic Compute Cloud (EC2) service. They looked for security and privacy issues such as malware, software vulnerabilities, and leftover data and user accounts from the administrator who set up the server’s software.

The results, which the team plans to present in a paper at the Symposium on Applied Computing next March, aren’t pretty: 22% of the machines were still set up to allow a login by whoever set up the virtual machine’s software–either Amazon or one of the many third-party companies like Turnkey and Jumpbox that sell preset machine images running on Amazon’s cloud. Almost all of the machines ran outdated software with critical security vulnerabilities, and 98% contained data that the company or individual who set up the machine had intended to delete but that could still be extracted from the machine.

“If the guy who set up the machine forgot to erase his credentials or left them there on purpose, everyone who has the credential can log into the server,” says Marco Balduzzi, one of the Eurecom researchers on the team. “You rent this machine for personal use, and someone else has a kind of a backdoor to it already.”

Balduzzi points out that it would be possible to publish a server image in Amazon’s catalog with the intent of infecting the user with malware or exploiting a backdoor to steal information. But in some cases it was the creator of the machine image who was put at risk by leaving private keys on the server or failing to completely erase his or her own data before publishing it for customers to use, Balduzzi says.

The research team notified Amazon about the issues last summer, and the company responded by posting a notice to its customers and partners about the problem. “We have received no reports that these vulnerabilities have been actively exploited,” the company wrote at the time. “The purpose of this document is to remind users that it is extremely important to thoroughly search for and remove any important credentials from an [Amazon Machine Image (AMIs)] before making it publicly available.”
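As an added, defender-side illustration of the pre-publication check Amazon’s notice describes (example code written for this article, not the researchers’ scanner or Amazon’s tooling), the script below walks a mounted image root and flags the residue classes the study found: leftover authorized SSH keys, shell history, cloud credential files, PEM private keys anywhere in the tree, and accounts in /etc/shadow that still carry a usable password hash. The file paths, patterns and the constructed sample tree are assumptions, not data from the study.

```python
"""Pre-publication audit of an AMI root filesystem (added example).

Point it at a mounted image root (e.g. /mnt/image) before publishing the
image. Paths, patterns and the sample tree below are assumptions.
"""
import os
import re
import tempfile

# Home-relative files that commonly carry credentials or history left behind
# by whoever built the image. Assumed list, not taken from the study.
SENSITIVE_HOME_FILES = {
    ".ssh/authorized_keys": "ssh-authorized-keys",
    ".bash_history": "shell-history",
    ".mysql_history": "shell-history",
    ".aws/credentials": "cloud-credentials",
}

# Any PEM private key header, regardless of file name or location.
PEM_PRIVATE_KEY = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def home_dirs(root):
    """Return /root plus every directory under /home inside the image root."""
    candidates = [os.path.join(root, "root")]
    home = os.path.join(root, "home")
    if os.path.isdir(home):
        candidates += [os.path.join(home, d) for d in sorted(os.listdir(home))]
    return [d for d in candidates if os.path.isdir(d)]


def has_content(path):
    """True if the file holds at least one line that is not blank or a comment."""
    try:
        with open(path, "rb") as f:
            return any(l.strip() and not l.lstrip().startswith(b"#") for l in f)
    except OSError:
        return False


def password_accounts(root):
    """Accounts in /etc/shadow whose password field is a usable hash.

    Locked or passwordless accounts carry '*', '!' or '!!' in that field.
    """
    shadow = os.path.join(root, "etc", "shadow")
    accounts = []
    if not os.path.isfile(shadow):
        return accounts
    with open(shadow, "rb") as f:
        for line in f.read().splitlines():
            fields = line.decode("utf-8", "replace").split(":")
            if len(fields) < 2:
                continue
            pw = fields[1]
            if pw and pw != "*" and not pw.startswith("!"):
                accounts.append(fields[0])
    return accounts


def audit_image(root):
    """Return a sorted list of (kind, image-relative path) findings."""
    findings = set()
    for home in home_dirs(root):
        for rel, kind in SENSITIVE_HOME_FILES.items():
            path = os.path.join(home, rel)
            if os.path.isfile(path) and has_content(path):
                findings.add((kind, os.path.relpath(path, root)))
    # Private keys can sit anywhere (TLS certs, app configs), so scan the whole
    # tree for the PEM header instead of trusting file names.
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    head = f.read(4096)
            except OSError:
                continue
            if PEM_PRIVATE_KEY.search(head):
                findings.add(("pem-private-key", os.path.relpath(path, root)))
    for user in password_accounts(root):
        findings.add(("password-account", "etc/shadow:" + user))
    return sorted(findings)


def build_sample_image(base):
    """Constructed image root reproducing the residue classes the study reports."""
    files = {
        "root/.ssh/authorized_keys": "ssh-ed25519 AAAAC3Nza_CONSTRUCTED builder@example\n",
        "root/.bash_history": "mysql -u root -pConstructedPassword\n",
        "home/builder/.aws/credentials": "[default]\naws_access_key_id = CONSTRUCTED\n",
        "home/builder/.ssh/authorized_keys": "# comment only, no keys\n",
        "etc/ssl/private/app.key": "-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n",
        "etc/shadow": ("root:$6$constructedhash:19000:0:99999:7:::\n"
                       "builder:!:19000:0:99999:7:::\n"
                       "www-data:*:19000:0:99999:7:::\n"),
    }
    for rel, body in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(body)
    return base


def audit_sample():
    """Build the constructed image in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_image(build_sample_image(tmp))


if __name__ == "__main__":
    for kind, where in audit_sample():
        print(f"{kind:20} {where}")
```

The authorized_keys file containing only a comment produces no finding, while the TLS key under /etc/ssl is caught by the PEM header scan even though it is nowhere near a home directory; `builder` and `www-data` are skipped because their shadow entries are locked.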

Amazon spokesperson Kay Kinton sent me a statement, noting that “Customers have complete control over what information they include, or not, within the AMIs they choose to make publicly available,” and pointing to a couple of Amazon pages on using AMIs securely.

Balduzzi says that an Amazon representative similarly told him that the company considers the issue to be one between users and the third party companies that offer software on Amazon’s platform. “They told me it’s not their concern, they just provide computing power,” Balduzzi says. “It’s like if you upload naked pictures to Facebook. It’s not a good practice, but it’s not Facebook’s problem.”

The Eurecom team’s research isn’t the first to point out security issues in Amazon’s cloud services. Just earlier this week, a team of German researchers revealed a collection of vulnerabilities in Amazon’s web interface that allowed potential data theft from the company’s cloud platform. Amazon has now patched those flaws.

Comments

Nice article Andy. We often hear reports of data left behind. We refer to it as orphaned data. We see it as another important reason to encrypt all of your data at rest as a last line of defense. This is particularly important in the cloud, when images are often spun up and shut down at the drop of a hat. If the orphaned data is encrypted, then it’s not a security risk.